This article has been written by Preetham Kumar.
It has been published by Rachit Garg.
The global health care market is approximately worth a little over 500 billion dollars annually. When we say health care data, our assumption is that it’s related to patient care. But it’s actually not. Although patient care and management was primordial in this field, today, they extend to services like laboratory and diagnostic facilities, introducing the masses to many cutting-edge procedures, managing data collected on patients and professionals and so on. On the operational side of things, medical or health care also includes contributions and support from pharmaceuticals, research and development, medical equipment, logistics storage and management and more. All of these services and operations have one thing in common – the data. This article seeks to provide an insight into the privacy issues surrounding the Electronic Health System in Health Care Organizations.
Data and the pharma sector
For instance, here’s a snippet on how data plays an important role in Pharma-R&D sector when they are trying to develop a new drug. First of all, they would need tons of background data while developing the drug – data on primary consumers, utility, what does it solve, what does it help manage, ingredients, reaction rate, prescribed dosage, procedure to administer, quality and so on. And this is all only to make the drug. They would then have to get approvals for human trials to try and test their drug on a live tissue. Before they resort to this, they would have developed the drug keeping in mind – a sample set of real patients’ data, their vital stats, their bio structure and such other streams of data to substantiate if the drug would work on a human. Without all these data sets, it would be impossible to develop a drug. The primary question is ‘How does one procure a nuanced set of data, of this nature and quality?’ As dramatic as it may sound, they simply ‘steal it’ or procure it ‘the unethical way.’
Health care related patents and copyrights are the nation’s assets. Whoever owns the highest patents or answers to age-old pandemics such as Polio, AIDS, Cancer, Virus-based diseases holds a great deal of leverage and wealth over other countries. Using such sensitive data with permission for R&D is legal, and to some extent, the law allows it. But procuring data without authorization and using it for personal gains or to manipulate a certain sentiment is a criminal act.
With every country and their chains of health-care facilities storing tons of volumes of data in their servers and in electronic form, it has more risks than what it seems theoretically. Since all data today is preferred to be collected, stored, and managed online and in electronic form, the risk or probability of it being stolen is higher. Hackers need not visit a physical place to hack data, they can hack into servers in remote locations from their basements and choose to dispose of it by selling it in the black market. There are plenty of real-life instances where hackers have stolen insurance details (personal and sensitive) of millions of consumers worth crores from multinational corporations and have leaked it (sold it) on the black market to anonymous people. Imagine Western data of this nature and stature falling into the hands of some Eastern country who is known for its monopoly play! The eastern country would seek ways to capitalize on it in an unethical manner. This again would indirectly hurt millions in the west due to import prices, cost of making the drug overseas, taxes levied and more over the dependency it creates of not being able to produce the drug in their own country.
Understanding Health Care Data
Now that we understand the elements and fields of potentially procuring health care data, we need to understand what an actual data record consists of. In India, among other details, it has a person’s name, date of birth, address, Aadhar number, payment details, insurance details, case history, allergies and so on. This is identified as EHR, which expands to Electronic Health Record – basically health data associated with a person who at some point needed medical care and assistance from a registered entity.
The Electronic Health Record Standards (EHR Standards) was formulated by the Ministry of Health and Family Welfare, in India, and it defines EHR as “a collection of various medical records that get generated during any clinical encounter or events.” There are some standards notified under this as well. These Standards are intended to provide for creation and maintenance of health records in a standardized manner so that interoperability of HER’s can be made possible throughout the country.
Need to secure Health Care Data
Further, internationally, Electronic Health Record (EHR) is defined by the International Organization for Standardization (ISO) as “a repository of information regarding the health status of a subject of care, in computer processable form.” In a nutshell, an EHR is a digital print of a person’s medical history stored in the servers/databases of a healthcare organization. In the US, Medical or Personal Health Information (PHI) is defined in HIPAA(Health Insurance Portability and Accountability Act) standards as, “information that is created by a health care provider [and] relates to the past, present, or future physical or mental health or condition of any individual.”
The nature of this data is such that it can identify a person and his personal details. Without authorization, learning about this data is a breach of an individual’s privacy rights which again is a fundamental right [Ref: Justice K S Puttaswamy (RETD) and anr v. Union of India and ors, WP (Civil No) 494 of 2012]. Although India does not have a definition regarding what qualifies as medically sensitive data, it recognizes breach of confidentiality which is basically breach of individual privacy [District Registrar and Collector v. Canara Bank (2005)]. For these reasons and others explained in the first section, there is a dire need to protect data especially when it is confidential, sensitive and personally identifiable.
Current security challenges in the EHS
India has a growing economy. The majority of people want to have a health care file that can be portable anywhere they travel within the country. It is the need of the hour and is a concept that is growing at a rapid pace. Securing this data should also go hand in hand. Security is not only about protecting the data collected; it also includes processes and efforts to maintain it, complete it, and update it. The following are some of the challenges in today’s data security.
- Lack of awareness: This is perhaps the biggest problem to deal with! Health care personnel working on collecting patient’s data need some level of training on handling data securely. Sometimes, a data leak occurs through sheer negligence because someone in the system clicked on a phishing email that allowed a bug in the system. At times, people are not trained enough to store data well due to digital illiteracy. If personnel are not trained with basic guidelines, then it becomes very difficult to arrest the breach or even in some cases avoid it. Health Organizations should consider investing in this sector which currently is lacking in the system. Moreover, the importance of creating awareness on privacy should start with “why?” “why not?” “what and what not to?” and the impact of these careless actions.
- Role based access: Any infra that is set up within the organization that handles patient data should be set up with role-based access. Role based access works on the principle that people who have restricted info on information will also have restricted access to data and other infra.
- Digital literacy: Health care professionals are usually not trained in tech simply because it’s not a part of their day to day job. But with basic training, anyone can learn how to handle tech and software. Digital literacy emphasizes, among many things, the importance of online safety skills, basics of Internet safety such as creating strong passwords, understanding and using privacy settings, and knowing what to share or not on social media. On the other hand, executives and management need to invest in tech which is simple to handle. Most go with fancy looking tech which may be complicated for a majority of the medical staff on ground. Whoever is selecting the app should thoroughly test the infra on usability, user accessibility, and customer centric concerns
Overall, the effort and responsibility for a successful, safe and secure tech should be from both – the staff using the tech, and the executives designing the network.
Data Privacy and Compliance framework – prevent than to cure
Perhaps the cure we are all looking for is a framework based around a privacy-driven approach. One such framework is HIPAA, introduced in 1996 (Health Insurance Portability and Accountability Act, a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge). It consists of three basic rules – HIPAA Privacy rules, Security rules, and Breach Notification rules. Everything designed in a compliance program will contain sub-sections of these in one way or the other.
HIPAA compliance addresses operations like (1) Self-audits (2) Gap identification and remediation (3) Policies and procedures (4) Employee training (5) Business associate management (6) Incident management. Therefore, it may not be a bad idea to develop a software system bearing all the above compliance programs in mind.
The Government of India has a global role to play when it comes to information exchange. It houses one of the largest populated countries of the world with the highest digital illiteracy rate. In 2018, the Parliament introduced the Digital Information in Healthcare Security Act, 2018 (DISHA), for promotion and adoption of e-health standards in India. It is a legislation which aims to provide better data privacy, confidentiality, security and standardization. The idea extends to create regulatory authorities both at central and state level, the National Electronic Health Authority (NeHA) and the State Electronic Health Authority (SeHA).
In 2019, the Personal Data Protection Bill or PDP Bill was also introduced by the Parliament. It applies to processing of personal data where such data has been collected, disclosed, shared or otherwise processed in India. However, all these are yet to go-live. If they do, it will be an inception point of India’s journey in data privacy.
Ultimately, it narrows down to “who collects the data? Who owns it? And is there a consent chain in place for all the collected data?” In other words, it’s about accountability. The onus usually lies with the entity that collects it, in this case, the health organisations. The only way out is to build an infrastructure that supports a privacy-compliant framework.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:
Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.